NIST Cybersecurity Framework (CSF)

In 2013, US President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary risk-based cyber security framework that provided a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cyber security risk for critical infrastructure services.

A framework was duly developed in the US through an international partnership of small and large organisations, including owners and operators of the nation’s critical infrastructure, led by the National Institute of Standards and Technology (NIST).

NIST Cybersecurity Framework overview

The NIST CSF was designed with the intent that individual businesses and other organisations use an assessment of the business risks they face to guide their use of the framework in a cost-effective way.

The framework is divided into three parts: the Framework Core, Framework Implementation Tiers and Framework Profiles:

The Framework Core is a set of activities, outcomes and informative references that detail approaches to aspects of cyber security. The core comprises five functions (Identify, Protect, Detect, Respond and Recover), which in version 1.0 of the framework are subdivided into 22 categories (groups of cyber security outcomes) and 98 subcategories (specific outcomes, each mapped via informative references to controls in standards such as ISO 27001, COBIT and NIST SP 800-53). Later versions revised these counts and the mappings.

Framework Implementation Tiers are used by an organisation to clarify for itself and its partners how it views cyber security risk and the degree of rigour and sophistication of its risk management approach. There are four tiers, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive); the tiers are not maturity levels, and a higher tier is only appropriate where it is justified by the organisation's risk profile and resources.

A Framework Profile is a list of outcomes that an organisation has chosen from the categories and subcategories, based on its business needs and individual risk assessments.

Implementing the framework

An organisation typically starts by using the framework to develop a profile that describes its current cyber security activities and their outcomes. It can then develop a target profile, or adopt a baseline profile that has been tailored to better match its critical infrastructure sector or the type of organisation. Steps can then be taken to close the gaps between its current profile and its target profile.

The following seven steps are used to create a new cyber security programme or improve an existing one. These steps should be repeated as necessary to continually improve and assess your cyber security:

Step 1: Prioritise and scope

Step 2: Orient

Step 3: Create a current profile

Step 4: Conduct a risk assessment

Step 5: Create a target profile

Step 6: Determine, analyse and prioritise gaps

Step 7: Implement action plan

Although there is generally no legal or regulatory requirement for private-sector organisations to implement the CSF (US federal agencies are the exception, having been directed to use it by Executive Order 13800 in 2017), some organisations do have contractual requirements passed down to them from their clients and suppliers to adopt and implement the CSF.

Speak to an expert

We can assist with the full NIST CSF implementation process, from project scoping and risk assessment right through to advising on the necessary remediation measures to implement your action plan. Get in touch today to find out more.